Exploit Protection policy for Windows 10/11

This repository contains a custom Exploit Protection policy, that should not interfere with most popular apps and day-to-day tasks.

The policy is a mix of several policies (+ custom modifications):

• DISA STIG Exploit Protection v3 (part of the Windows 10 package)
• Microsoft Secure Baseline Exploit Protection policy for 1809 systems (has been removed from later baselines for compatiblity reasons)
• milgradesec's awesome Exploit Protection policy

System-Wide Mitigations

The following Exploit Protection mitigations are applied system-wide by default:

• Control Flow Guard (CFG):
  • Enabled
  • Suppress Exports: Disabled
  • Strict CFG: Disabled
• Data Execution Prevention (DEP):
  • Enabled
  • ATL Thunk Emulation: Disabled
• Address Space Layout Randomization (ASLR):
  • Force Relocate Images: Enabled
  • Require ASLR on DLLs: Disabled
  • Bottom-Up ASLR: Enabled
  • High Entropy ASLR: Enabled
• Structured Exception Handling Overwrite Protection (SEHOP):
  • Enabled
• Heap Protection:
  • Terminate on corruption: Enabled
• Strict Handle Checks:
  • Enabled
• System Call Restrictions:
  • Audit Win32k System Calls
  • Audit FSCTL System Calls
• Extension Point Disabling:
  • Enabled
• Font Disabling:
  • Disable Non-System Fonts
• Payload Restrictions:
  • Export Address Filtering (EAF): Enabled
  • Export Address Filtering Plus (EAF+): Enabled
  • Import Address Filtering (IAF): Enabled
  • ROP Stack Pivot Protection: Enabled
  • ROP Caller Check Protection: Enabled
  • ROP SimExec Protection: Enabled
• Child Process Restrictions:
  • Audit Child Process Creation
• Image Load Restrictions:
  • Block Low-Label Image Loads
  • Block Remote Image Loads
  • Prefer System32 Images
• Dynamic Code Restrictions:
  • Audit Dynamic Code
• Signed Binary Restrictions:
  • Microsoft Signature Not Required
  • Store Signed Binaries Not Allowed
  • Enforce Module Dependency Signing
  • Audit Enforce Module Dependency Signing
• User-mode Hardware-enforced Stack Protection (Shadow Stack):
  • Audit

Applied Mitigations per Application

This section details the specific Exploit Protection mitigations applied to individual applications as configured in this policy.

7z.exe

• Address Space Layout Randomization (ASLR): Force Relocate Images, Bottom-Up ASLR, High Entropy ASLR
• Strict Handle Checks: Enabled
• Dynamic Code Restrictions: Block Dynamic Code
• Signed Binary Restrictions: Enforce Module Dependency Signing

7zFM.exe

• Address Space Layout Randomization (ASLR): Force Relocate Images, Bottom-Up ASLR, High Entropy ASLR
• Strict Handle Checks: Enabled
• Dynamic Code Restrictions: Block Dynamic Code
• Signed Binary Restrictions: Enforce Module Dependency Signing

7zG.exe

• Address Space Layout Randomization (ASLR): Force Relocate Images, Bottom-Up ASLR, High Entropy ASLR
• Strict Handle Checks: Enabled
• Dynamic Code Restrictions: Block Dynamic Code
• Signed Binary Restrictions: Enforce Module Dependency Signing

7za.exe

• Address Space Layout Randomization (ASLR): Force Relocate Images, Bottom-Up ASLR, High Entropy ASLR
• Strict Handle Checks: Enabled
• Dynamic Code Restrictions: Block Dynamic Code
• Signed Binary Restrictions: Enforce Module Dependency Signing

Acrobat.exe

• Data Execution Prevention (DEP): Enabled
• Address Space Layout Randomization (ASLR): Force Relocate Images, Bottom-Up ASLR
• Payload Restrictions: Export Address Filtering (EAF), EAF+, Import Address Filtering (IAF), ROP Stack Pivot Protection, ROP Caller Check Protection, ROP SimExec Protection

AcroRd32.exe

• Data Execution Prevention (DEP): Enabled
• Address Space Layout Randomization (ASLR): Force Relocate Images, Bottom-Up ASLR
• Payload Restrictions: Export Address Filtering (EAF), EAF+, Import Address Filtering (IAF), ROP Stack Pivot Protection, ROP Caller Check Protection, ROP SimExec Protection

AMDAutoUpdate.exe

• User-mode Hardware-enforced Stack Protection (Shadow Stack): Disabled

amdfendrsr.exe

• Strict Handle Checks: Disabled

C:\Program Files\Dell\Dell Peripheral Manager\DPM.exe

• Font Disabling: Non-System Fonts Allowed

C:\Program Files\VMware\VMware Tools\vmtoolsd.exe

• Strict Handle Checks: Disabled

C:\Windows\explorer.exe

• Address Space Layout Randomization (ASLR): Force Relocate Images, Bottom-Up ASLR, High Entropy ASLR
• Strict Handle Checks: Disabled
• Font Disabling: Disable Non-System Fonts

C:\Windows\System32\AggregatorHost.exe

• Strict Handle Checks: Enabled
• Dynamic Code Restrictions: Block Dynamic Code
• Signed Binary Restrictions: Microsoft Signed Only, Store Signed Binaries Not Allowed by this setting

C:\Windows\System32\audiodg.exe

• Strict Handle Checks: Enabled
• Child Process Restrictions: Disallow Child Process Creation

C:\Windows\System32\csrss.exe

• Font Disabling: Non-System Fonts Allowed

C:\Windows\System32\ctfmon.exe

• Strict Handle Checks: Enabled
• Dynamic Code Restrictions: Block Dynamic Code
• Signed Binary Restrictions: Microsoft Signed Only, Store Signed Binaries Not Allowed by this setting
• Font Disabling: Disable Non-System Fonts
• Child Process Restrictions: Disallow Child Process Creation

C:\Windows\System32\dasHost.exe

• Strict Handle Checks: Enabled
• Dynamic Code Restrictions: Block Dynamic Code
• Signed Binary Restrictions: Microsoft Signed Only, Store Signed Binaries Not Allowed by this setting

C:\Windows\System32\fontdrvhost.exe

• Dynamic Code Restrictions: Block Dynamic Code
• Signed Binary Restrictions: Microsoft Signed Only, Store Signed Binaries Not Allowed by this setting
• Font Disabling: Disable Non-System Fonts
• Child Process Restrictions: Disallow Child Process Creation

C:\Windows\System32\lsass.exe

• Extension Point Disabling: Enabled
• Child Process Restrictions: Disallow Child Process Creation
• Dynamic Code Restrictions: Block Dynamic Code
• Signed Binary Restrictions: Microsoft Signed Only, Store Signed Binaries Not Allowed by this setting

C:\Windows\System32\SecurityHealthService.exe

• Strict Handle Checks: Enabled
• Dynamic Code Restrictions: Block Dynamic Code

C:\Windows\System32\SecurityHealthSystray.exe

• Strict Handle Checks: Enabled
• Dynamic Code Restrictions: Block Dynamic Code

C:\Windows\System32\SearchFilterHost.exe

• Strict Handle Checks: Enabled
• Dynamic Code Restrictions: Allowed
• Child Process Restrictions: Disallow Child Process Creation

C:\Windows\System32\SearchIndexer.exe

• Strict Handle Checks: Enabled
• Dynamic Code Restrictions: Block Dynamic Code
• Signed Binary Restrictions: Microsoft Signed Only, Store Signed Binaries Not Allowed by this setting

C:\Windows\System32\SearchProtocolHost.exe

• Strict Handle Checks: Enabled
• Dynamic Code Restrictions: Allowed
• Signed Binary Restrictions: Microsoft Signed Only, Store Signed Binaries Not Allowed by this setting
• Child Process Restrictions: Disallow Child Process Creation

C:\Windows\System32\SgrmBroker.exe

• System Call Restrictions: Disable Win32k System Calls

C:\Windows\System32\sihost.exe

• Strict Handle Checks: Enabled
• Signed Binary Restrictions: Microsoft Signed Only, Store Signed Binaries Not Allowed by this setting

C:\Windows\System32\smartscreen.exe

• Strict Handle Checks: Enabled
• Dynamic Code Restrictions: Allowed
• Signed Binary Restrictions: Microsoft Signed Only, Store Signed Binaries Not Allowed by this setting

C:\Windows\System32\spoolsv.exe

• Dynamic Code Restrictions: Allowed, Audit Dynamic Code
• Strict Handle Checks: Enabled
• Signed Binary Restrictions: Microsoft Signature Not Required, Store Signed Binaries Not Allowed by this setting, Audit Signed Binaries (General)
• Child Process Restrictions: Allowed, Audit Child Process Creation

C:\Windows\System32\svchost.exe

• Address Space Layout Randomization (ASLR): Force Relocate Images, Bottom-Up ASLR, High Entropy ASLR
• Control Flow Guard (CFG): Enabled, Suppress Exports, Strict CFG
• Font Disabling: Disable Non-System Fonts
• Extension Point Disabling: Enabled
• Signed Binary Restrictions: Microsoft Signature Not Required, Store Signed Binaries Not Allowed by this setting, Audit Store Signed Binaries
• Dynamic Code Restrictions: Allowed

C:\Windows\System32\taskhostw.exe

• Signed Binary Restrictions: Microsoft Signature Not Required, Store Signed Binaries Not Allowed by this setting

C:\Windows\System32\userinit.exe

• Font Disabling: Non-System Fonts Allowed

C:\Windows\System32\vmcompute.exe

• Control Flow Guard (CFG): Enabled, Suppress Exports, Strict CFG

C:\Windows\System32\vmwp.exe

• Control Flow Guard (CFG): Enabled, Suppress Exports, Strict CFG

C:\Windows\System32\wininit.exe

• Dynamic Code Restrictions: Block Dynamic Code

C:\Windows\System32\winlogon.exe

• Dynamic Code Restrictions: Block Dynamic Code
• Signed Binary Restrictions: Microsoft Signature Not Required, Store Signed Binaries Not Allowed by this setting
• Font Disabling: Non-System Fonts Allowed

C:\Windows\System32\wlanext.exe

• Strict Handle Checks: Enabled
• Dynamic Code Restrictions: Block Dynamic Code
• Signed Binary Restrictions: Microsoft Signature Not Required, Store Signed Binaries Not Allowed by this setting

C:\Windows\System32\WUDFHost.exe

• Strict Handle Checks: Enabled
• Dynamic Code Restrictions: Block Dynamic Code

chrome.exe

• Data Execution Prevention (DEP): Enabled
• Address Space Layout Randomization (ASLR): Force Relocate Images, Require ASLR on DLLs, Bottom-Up ASLR, High Entropy ASLR
• Strict Handle Checks: Enabled
• System Call Restrictions: Win32k System Calls Allowed
• Child Process Restrictions: Allowed
• Extension Point Disabling: Enabled
• Dynamic Code Restrictions: Allowed

Code.exe

• System Call Restrictions: Win32k System Calls Allowed
• Strict Handle Checks: Disabled

Docker Desktop.exe

• User-mode Hardware-enforced Stack Protection (Shadow Stack): Disabled

dockerd.exe

• User-mode Hardware-enforced Stack Protection (Shadow Stack): Disabled

driverscloud.exe

• Font Disabling: Non-System Fonts Allowed

EXCEL.EXE

• Data Execution Prevention (DEP): Enabled
• Payload Restrictions: Export Address Filtering (EAF), EAF+, Import Address Filtering (IAF), ROP Stack Pivot Protection, ROP Caller Check Protection, ROP SimExec Protection

ExtExport.exe

• Address Space Layout Randomization (ASLR): Force Relocate Images

firefox.exe

• Data Execution Prevention (DEP): Enabled
• Address Space Layout Randomization (ASLR): Force Relocate Images, Bottom-Up ASLR
• Payload Restrictions: Export Address Filtering (EAF), EAF+, Import Address Filtering (IAF), ROP Stack Pivot Protection, ROP Caller Check Protection, ROP SimExec Protection

fltldr.exe

• Data Execution Prevention (DEP): Enabled
• Image Load Restrictions: Remote Image Loads Allowed, System32 Images Not Preferred, Low-Label Image Loads Allowed
• Child Process Restrictions: Disallow Child Process Creation
• Payload Restrictions: Export Address Filtering (EAF), EAF+, Import Address Filtering (IAF), ROP Stack Pivot Protection, ROP Caller Check Protection, ROP SimExec Protection

GamingServices.exe

• User-mode Hardware-enforced Stack Protection (Shadow Stack): Disabled

GROOVE.EXE

• Data Execution Prevention (DEP): Enabled
• Image Load Restrictions: Remote Image Loads Allowed, System32 Images Not Preferred, Low-Label Image Loads Allowed
• Payload Restrictions: Export Address Filtering (EAF), EAF+, Import Address Filtering (IAF), ROP Stack Pivot Protection, ROP Caller Check Protection, ROP SimExec Protection
• Child Process Restrictions: Disallow Child Process Creation

HfcDisableService.exe

• Strict Handle Checks: Disabled

ie4uinit.exe

• Address Space Layout Randomization (ASLR): Force Relocate Images

ieinstal.exe

• Address Space Layout Randomization (ASLR): Force Relocate Images

ielowutil.exe

• Address Space Layout Randomization (ASLR): Force Relocate Images

ieUnatt.exe

• Address Space Layout Randomization (ASLR): Force Relocate Images

iexplore.exe

• Data Execution Prevention (DEP): Enabled
• Address Space Layout Randomization (ASLR): Force Relocate Images, Bottom-Up ASLR, High Entropy ASLR
• Strict Handle Checks: Disabled
• System Call Restrictions: Win32k System Calls Allowed
• Extension Point Disabling: Allowed
• Dynamic Code Restrictions: Allowed
• Control Flow Guard (CFG): Enabled
• Payload Restrictions: Export Address Filtering (EAF), EAF+, Import Address Filtering (IAF), ROP Stack Pivot Protection, ROP Caller Check Protection, ROP SimExec Protection, EAF Modules (mshtml.dll;flash*.ocx;jscript*.dll;vbscript.dll;vgx.dll;)

INFOPATH.EXE

• Data Execution Prevention (DEP): Enabled
• Payload Restrictions: Export Address Filtering (EAF), EAF+, Import Address Filtering (IAF), ROP Stack Pivot Protection, ROP Caller Check Protection, ROP SimExec Protection

java.exe

• Address Space Layout Randomization (ASLR): Force Relocate Images, Bottom-Up ASLR, High Entropy ASLR
• Data Execution Prevention (DEP): Enabled
• Payload Restrictions: Export Address Filtering (EAF), EAF+, Import Address Filtering (IAF), ROP Stack Pivot Protection, ROP Caller Check Protection, ROP SimExec Protection
• User-mode Hardware-enforced Stack Protection (Shadow Stack): Disabled

javaw.exe

• Address Space Layout Randomization (ASLR): Force Relocate Images, Bottom-Up ASLR, High Entropy ASLR
• Data Execution Prevention (DEP): Enabled
• Payload Restrictions: Export Address Filtering (EAF), EAF+, Import Address Filtering (IAF), ROP Stack Pivot Protection, ROP Caller Check Protection, ROP SimExec Protection
• User-mode Hardware-enforced Stack Protection (Shadow Stack): Disabled

javaws.exe

• Address Space Layout Randomization (ASLR): Force Relocate Images, Bottom-Up ASLR, High Entropy ASLR
• Data Execution Prevention (DEP): Enabled
• Payload Restrictions: Export Address Filtering (EAF), EAF+, Import Address Filtering (IAF), ROP Stack Pivot Protection, ROP Caller Check Protection, ROP SimExec Protection
• User-mode Hardware-enforced Stack Protection (Shadow Stack): Disabled

JOSM.exe

• User-mode Hardware-enforced Stack Protection (Shadow Stack): Disabled

LYNC.EXE

• Data Execution Prevention (DEP): Enabled
• Payload Restrictions: Export Address Filtering (EAF), EAF+, Import Address Filtering (IAF), ROP Stack Pivot Protection, ROP Caller Check Protection, ROP SimExec Protection

MEInfoWin64.exe

• Strict Handle Checks: Disabled
• Control Flow Guard (CFG): Enabled
• Data Execution Prevention (DEP): Enabled
• Address Space Layout Randomization (ASLR): Force Relocate Images, Bottom-Up ASLR, High Entropy ASLR
• Structured Exception Handling Overwrite Protection (SEHOP): Enabled

mmc.exe

• User-mode Hardware-enforced Stack Protection (Shadow Stack): Disabled

MpCmdRun.exe

• Signed Binary Restrictions: Microsoft Signature Not Required, Store Signed Binaries Not Allowed by this setting, Audit Store Signed Binaries

MSACCESS.EXE

• Data Execution Prevention (DEP): Enabled
• Payload Restrictions: Export Address Filtering (EAF), EAF+, Import Address Filtering (IAF), ROP Stack Pivot Protection, ROP Caller Check Protection, ROP SimExec Protection

mscorsvw.exe

• Extension Point Disabling: Enabled

msedge.exe

• Data Execution Prevention (DEP): Enabled
• Address Space Layout Randomization (ASLR): Force Relocate Images, Require ASLR on DLLs, Bottom-Up ASLR, High Entropy ASLR
• Strict Handle Checks: Enabled
• System Call Restrictions: Win32k System Calls Allowed
• Extension Point Disabling: Enabled

msfeedssync.exe

• Address Space Layout Randomization (ASLR): Force Relocate Images

mshta.exe

• Address Space Layout Randomization (ASLR): Force Relocate Images

MsMpEngCP.exe

• System Call Restrictions: Win32k System Calls Allowed

MSPUB.EXE

• Data Execution Prevention (DEP): Enabled
• Payload Restrictions: Export Address Filtering (EAF), EAF+, Import Address Filtering (IAF), ROP Stack Pivot Protection, ROP Caller Check Protection, ROP SimExec Protection

ngen.exe

• Extension Point Disabling: Enabled

ngentask.exe

• Extension Point Disabling: Enabled
• User-mode Hardware-enforced Stack Protection (Shadow Stack): Disabled

NisSrv.exe

• Signed Binary Restrictions: Microsoft Signed Only, Store Signed Binaries Not Allowed by this setting

notepad++.exe

• Address Space Layout Randomization (ASLR): Force Relocate Images, Bottom-Up ASLR, High Entropy ASLR
• Strict Handle Checks: Enabled
• Dynamic Code Restrictions: Allowed, Audit Dynamic Code
• Signed Binary Restrictions: Enforce Module Dependency Signing
• Child Process Restrictions: Allowed, Audit Child Process Creation
• Font Disabling: Disable Non-System Fonts

OIS.EXE

• Data Execution Prevention (DEP): Enabled
• Payload Restrictions: Export Address Filtering (EAF), EAF+, Import Address Filtering (IAF), ROP Stack Pivot Protection, ROP Caller Check Protection, ROP SimExec Protection

ONEDRIVE.EXE

• Data Execution Prevention (DEP): Enabled
• Image Load Restrictions: Low-Label Image Loads Allowed, Block Remote Image Loads, System32 Images Not Preferred
• Payload Restrictions: Export Address Filtering (EAF), EAF+, Import Address Filtering (IAF), ROP Stack Pivot Protection, ROP Caller Check Protection, ROP SimExec Protection
• Child Process Restrictions: Allowed
• Font Disabling: Non-System Fonts Allowed
• Dynamic Code Restrictions: Allowed

OUTLOOK.EXE

• Data Execution Prevention (DEP): Enabled
• Payload Restrictions: Export Address Filtering (EAF), EAF+, Import Address Filtering (IAF), ROP Stack Pivot Protection, ROP Caller Check Protection, ROP SimExec Protection

plugin-container.exe

• Data Execution Prevention (DEP): Enabled
• Payload Restrictions: Export Address Filtering (EAF), EAF+, Import Address Filtering (IAF), ROP Stack Pivot Protection, ROP Caller Check Protection, ROP SimExec Protection

POWERPNT.EXE

• Data Execution Prevention (DEP): Enabled
• Payload Restrictions: Export Address Filtering (EAF), EAF+, Import Address Filtering (IAF), ROP Stack Pivot Protection, ROP Caller Check Protection, ROP SimExec Protection

PPTVIEW.EXE

• Data Execution Prevention (DEP): Enabled
• Payload Restrictions: Export Address Filtering (EAF), EAF+, Import Address Filtering (IAF), ROP Stack Pivot Protection, ROP Caller Check Protection, ROP SimExec Protection

PresentationHost.exe

• Data Execution Prevention (DEP): Enabled
• Address Space Layout Randomization (ASLR): Force Relocate Images, Bottom-Up ASLR, High Entropy ASLR
• Structured Exception Handling Overwrite Protection (SEHOP): Enabled
• Heap Protection: Terminate on corruption

PrintDialog.exe

• Extension Point Disabling: Enabled

qbittorrent.exe

• Strict Handle Checks: Disabled

Regsvr32.exe

• Image Load Restrictions: Block Low-Label Image Loads, Block Remote Image Loads

RstMwService.exe

• Strict Handle Checks: Disabled

rundll32.exe

• Image Load Restrictions: Block Low-Label Image Loads, Block Remote Image Loads

runtimebroker.exe

• Extension Point Disabling: Enabled

scc.exe

• Address Space Layout Randomization (ASLR): Force Relocate Images, Bottom-Up ASLR, High Entropy ASLR
• Strict Handle Checks: Disabled

scc64.exe

• Address Space Layout Randomization (ASLR): Force Relocate Images, Bottom-Up ASLR, High Entropy ASLR
• Strict Handle Checks: Disabled

SeqZ.exe

• Strict Handle Checks: Disabled

SetupHost.exe

• Strict Handle Checks: Disabled

ssh-agent.exe

• Extension Point Disabling: Enabled
• Strict Handle Checks: Enabled
• Dynamic Code Restrictions: Block Dynamic Code
• Signed Binary Restrictions: Microsoft Signature Not Required, Store Signed Binaries Not Allowed by this setting

SystemSettings.exe

• Extension Point Disabling: Enabled

Teams.exe

• Data Execution Prevention (DEP): Enabled
• Address Space Layout Randomization (ASLR): Force Relocate Images, Require ASLR on DLLs, Bottom-Up ASLR, High Entropy ASLR
• Strict Handle Checks: Enabled
• Extension Point Disabling: Enabled
• Child Process Restrictions: Allowed, Audit Child Process Creation
• Dynamic Code Restrictions: Allowed, Audit Dynamic Code

transmission-qt.exe

• Font Disabling: Non-System Fonts Allowed

VISIO.EXE

• Data Execution Prevention (DEP): Enabled
• Payload Restrictions: Export Address Filtering (EAF), EAF+, Import Address Filtering (IAF), ROP Stack Pivot Protection, ROP Caller Check Protection, ROP SimExec Protection

vlc.exe

• Data Execution Prevention (DEP): Enabled
• Address Space Layout Randomization (ASLR): Force Relocate Images, Bottom-Up ASLR, High Entropy ASLR
• Payload Restrictions: Export Address Filtering (EAF), EAF+, Import Address Filtering (IAF), ROP Stack Pivot Protection, ROP Caller Check Protection, ROP SimExec Protection
• Strict Handle Checks: Enabled
• Dynamic Code Restrictions: Block Dynamic Code
• Child Process Restrictions: Disallow Child Process Creation, Audit Child Process Creation
• Font Disabling: Disable Non-System Fonts

VPREVIEW.EXE

• Data Execution Prevention (DEP): Enabled
• Payload Restrictions: Export Address Filtering (EAF), EAF+, Import Address Filtering (IAF), ROP Stack Pivot Protection, ROP Caller Check Protection, ROP SimExec Protection

WINWORD.EXE

• Data Execution Prevention (DEP): Enabled
• Payload Restrictions: Export Address Filtering (EAF), EAF+, Import Address Filtering (IAF), ROP Stack Pivot Protection, ROP Caller Check Protection, ROP SimExec Protection

WinRAR.exe

• Address Space Layout Randomization (ASLR): Force Relocate Images, Bottom-Up ASLR, High Entropy ASLR
• Strict Handle Checks: Enabled
• Dynamic Code Restrictions: Block Dynamic Code
• Signed Binary Restrictions: Enforce Module Dependency Signing
• Child Process Restrictions: Disallow Child Process Creation, Audit Child Process Creation

wmplayer.exe

• Data Execution Prevention (DEP): Enabled
• Payload Restrictions: ROP Stack Pivot Protection, ROP Caller Check Protection, ROP SimExec Protection

wordpad.exe

• Data Execution Prevention (DEP): Enabled
• Payload Restrictions: Export Address Filtering (EAF), EAF+, Import Address Filtering (IAF), ROP Stack Pivot Protection, ROP Caller Check Protection, ROP SimExec Protection

Zoom.exe

• Data Execution Prevention (DEP): Enabled
• Address Space Layout Randomization (ASLR): Force Relocate Images, Require ASLR on DLLs, Bottom-Up ASLR, High Entropy ASLR
• Strict Handle Checks: Enabled
• Extension Point Disabling: Enabled
• Child Process Restrictions: Allowed, Audit Child Process Creation
• Dynamic Code Restrictions: Allowed, Audit Dynamic Code

Bug report

If you suspect that a legitimate use is blocked by this policy, please check in your Event Logs and provide the blocking event details in your Issue ticket.